Bug 1499366 - Part 1: Check shift while reading uint32. r=Yoric
authorTooru Fujisawa <arai_a@mac.com>
Tue, 16 Oct 2018 23:11:56 +0900
changeset 489769 bca5f70008c94e9a74c2d8d7272c10edcfa9c404
parent 489768 237c50cb98bca9418e4c2e157371d0bd335b481c
child 489770 c96e54bae30c098a4b10a42721bf58295a1409f7
push id247
push userfmarier@mozilla.com
push dateSat, 27 Oct 2018 01:06:44 +0000
reviewersYoric
bugs1499366
milestone64.0a1
Bug 1499366 - Part 1: Check shift while reading uint32. r=Yoric
js/src/frontend/BinTokenReaderMultipart.cpp
--- a/js/src/frontend/BinTokenReaderMultipart.cpp
+++ b/js/src/frontend/BinTokenReaderMultipart.cpp
@@ -491,16 +491,20 @@ BinTokenReaderMultipart::readInternalUin
         }
 
         result = newResult;
         shift += 7;
 
         if ((byte & 1) == 0) {
             return result;
         }
+
+        if (shift >= 32) {
+            return raiseError("Overflow during readInternalUint32");
+        }
     }
 }
 
 
 BinTokenReaderMultipart::AutoTaggedTuple::AutoTaggedTuple(BinTokenReaderMultipart& reader)
     : AutoBase(reader)
 { }